[8685] in cryptography@c2.net mail archive
Re: Requesting feedback on patched RC4-variant
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Apr 24 22:56:33 2001
From: "Steven M. Bellovin" <smb@research.att.com>
To: Greg Rose <ggr@qualcomm.com>
Cc: nikitab@cs.berkeley.edu (Nikita Borisov),
cryptography@wasabisystems.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 24 Apr 2001 18:23:48 -0400
Message-Id: <20010424222348.A83337B60@berkshire.research.att.com>
In message <4.3.1.0.20010425074018.01ae4660@203.30.171.11>, Greg Rose writes:
>
>Anyway, as a lover of stream ciphers, I just get upset when people point
>out the bit-twiddling attack, without realising that they are implicitly
>endorsing using block ciphers without robust integrity protection instead.
>If it needs integrity protection, add a MAC, and the ciphers are on even
>ground again.
>
Not quite, for reasons that are illustrated by the WEP incident.
If you reuse a key with a stream cipher, the results are catastrophic.
That isn't true with, say, CBC and a block cipher. Furthermore, the
bit-twiddling attack on a stream cipher without a MAC is more serious
than the corresponding attack on CBC, since the attacker can change
particular bits without error propagation.
To be sure, MACs are very much needed with either cipher, but the
failure modes aren't always the same.
--Steve Bellovin, http://www.research.att.com/~smb
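The two failure modes Bellovin contrasts, as an added example that is not part of the original message: a stand-in stream cipher (SHA-256 counter keystream) and CBC over a toy Feistel block cipher, both constructed here so the demo runs without a crypto library; every function name, the key, IV and the sample messages are this example's own assumptions, not anything from the thread.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key: bytes, blk: bytes, decrypt: bool = False) -> bytes:
    # Toy 4-round Feistel on 16-byte blocks: a stand-in for a real block cipher, demo only.
    l, r = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l

def cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # CBC over whole blocks, no padding: len(data) must be a multiple of 16.
    out, prev = b"", iv
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        if decrypt:
            out, prev = out + _xor(block_cipher(key, blk, True), prev), blk
        else:
            prev = block_cipher(key, _xor(blk, prev))
            out += prev
    return out

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher: keystream = SHA-256(key || counter), XORed onto the data.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return _xor(data, ks[:len(data)])

def flip_bit(data: bytes, idx: int, bit: int) -> bytes:
    return data[:idx] + bytes([data[idx] ^ (1 << bit)]) + data[idx + 1:]
def changed_bytes(a: bytes, b: bytes) -> list:
    return [i for i in range(len(a)) if a[i] != b[i]]

def stream_key_reuse(key: bytes, p1: bytes, p2: bytes) -> bytes:
    # Two messages under one keystream: c1 ^ c2 == p1 ^ p2, so knowing p1 yields p2, no key needed.
    c1, c2 = stream_xor(key, p1), stream_xor(key, p2)
    return _xor(_xor(c1, c2), p1)

def stream_flip(key: bytes, pt: bytes, idx: int, bit: int) -> list:
    # Flip one ciphertext bit: exactly that plaintext bit changes after decryption, nothing else.
    return changed_bytes(pt, stream_xor(key, flip_bit(stream_xor(key, pt), idx, bit)))

def cbc_flip(key: bytes, iv: bytes, pt: bytes, idx: int, bit: int) -> list:
    # Same flip against CBC: the block holding idx is garbled, only the matching bit of the next block flips.
    return changed_bytes(pt, cbc(key, iv, flip_bit(cbc(key, iv, pt), idx, bit), True))
KEY, IV = b"sixteen byte key", b"fixed iv 16bytes"  # constructed sample inputs; 48-byte messages = 3 blocks
P1 = b"transfer 0100 to account 12345678".ljust(48, b" ")
P2 = b"transfer 9999 to account 87654321".ljust(48, b" ")
```

With a MAC over the ciphertext both flips are rejected before decryption, which is the point of the thread; the key-reuse leak, though, is a stream-cipher property that no MAC repairs.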
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com